Cryptographic Techniques
Information Technologies for
IPR Protections
2003/11/12
R107, CSIE Building
Outline
Data security
Cryptography basics
Cryptographic systems
DES
RSA
C. H. HUANG IN CML
Cryptography
Cryptography is the science of secret writing.
A cipher is a secret method of writing, whereby
plaintext (cleartext) is transformed into a ciphertext.
The process of transforming plaintext into ciphertext is
called encipherment or encryption.
The reverse process of transforming ciphertext into
plaintext is called decipherment or decryption.
Encryption and decryption are controlled by
cryptographic keys.
Secret Writing
[Diagram: Encryption turns Plaintext into Ciphertext under a Key; Decryption reverses it]
Attacks against Ciphers
Cryptanalysis is the science and study of methods
of breaking ciphers.
A cipher is breakable if it is possible to determine
the plaintext or key from the ciphertext, or to
determine the key from plaintext-ciphertext pairs.
Attacks
Ciphertext-only attack
Known-plaintext attack
Chosen-plaintext attack
Cryptographic Systems
A cryptographic system has five components:
A plaintext message space, M
A ciphertext message space, C
A key space, K
A family of enciphering transformations
Ek:MC
A family of deciphering transformations
Dk:CM
Cryptographic Systems (cont.)
[Diagram: Ek takes plaintext in M to ciphertext in C; Dk takes the ciphertext back to plaintext in M]
Dk(Ek(m)) = m, for a key k
Cryptosystem requirements:
Efficient enciphering/deciphering
Systems must be easy to use
The security of the system depends only on the
keys, not the secrecy of E or D
Secure Cipher
Unconditionally secure
A cipher is unconditionally secure if no matter
how much ciphertext is intercepted, there is not
enough information in the ciphertext to
determine the plaintext uniquely.
Computationally secure
A cipher is computationally secure if it is computationally infeasible to break.
Secrecy Requirements
It should be computationally infeasible to
systematically determine the deciphering
transformation Dk from intercepted c, even if
corresponding m is known.
It should be computationally infeasible to
systematically determine m from intercepted c.
[Diagram: Ek, C, Dk and M, with the labels "protected" and "disallowed"]
Authenticity requirements
It should be computationally infeasible to
systematically determine the enciphering
transformation given c, even if corresponding m is
known.
It should be computationally infeasible to
systematically find c such that Dk(c) is a valid
plaintext in M.
[Diagram: M, Ek and Dk, with the labels "protected" and "disallowed"]
Key-distribution cryptosystem
[Diagram: Message Source, Encryption, Decryption, Receiver; secure key transmission]
Encrypting and decrypting are closely tied together.
The sender and the receiver must agree on the use of a
common key before any message transmission takes place.
A safe communication channel must exist between sender and
receiver.
Public-key Cryptosystem
[Diagram: Message Source, Encryption (Ek, from key source 1), Decryption (Dk, from key source 2), Receiver]
In a public key cryptosystem, each participant is assigned a pair of inverse
keys E and D.
Different functions are used for enciphering and deciphering; one of
the two keys can be made public, provided that it is impossible to
generate one key from the other.
E can be made public, but D is kept secret.
The normal key transmission between senders and receivers can be
replaced by an open directory of enciphering keys, containing the keys
E for all participants.
Using Public-Key Cryptosystem to
Transfer Messages Secretly
When a person A wishes to send a message to a
person B, the receiver's enciphering key EB is used
to generate the ciphertext EB(m). Since the key EB
is freely available, anyone can then encipher a
message destined for B. However, only the
receiver B, with access to the deciphering key DB, can
regenerate the original text by performing the
inverse transform DB(EB(m)).
Digital Signature
Guaranteeing authenticity.
Let B be the recipient of a message m signed by
A. Then A's signature must satisfy:
1. B must be able to validate A's signature on m.
2. It must be impossible to forge A's signature.
3. If A disavows signing a message, a third party must
be able to resolve the dispute.
Using Public-key Systems to
Implement Digital Signatures
1. A signs m by computing c = DA(m).
2. B validates A's signature by checking
EA(c) = m.
3. A dispute can be judged by checking
whether EA(c) restores m in the same
way as B.
Requirements:
1. Dk(Ek(m)) = Ek(Dk(m)) = m
Secrecy and Authenticity in A
Public-Key System
Transformations applied by sender:
DA(m) = S
EB(S) = C
Transformations applied by receiver:
DB(C) = S
EA(S) = m
EA(DB(C)) = EA(DB(EB(DA(M))))
= EA(DA(M))
= M
Conventional Cryptosystems
Using substitution transform and permutation transform
Substitution Ciphers
Running Key Ciphers
Transposition Ciphers (Permutation ciphers)
Stream Ciphers
Substitution Ciphers
Replace bits, characters, or blocks of
characters with substitutes.
Example: Caesar cipher, which shifts each letter in the
English alphabet forward by K
positions (shifts past Z cycle back to A).
A simple substitution cipher is easy to solve
by performing a frequency analysis.
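The Caesar shift and its solution by letter frequencies, as an added Python example that is not part of the original slides. The frequency table is approximate and the sample text is constructed from the deck's opening definitions.

```python
from string import ascii_uppercase as ALPHABET

# Approximate relative letter frequencies of English text, in percent (A..Z).
ENGLISH = dict(zip(ALPHABET, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))

# Constructed sample plaintext.
SAMPLE = ("CRYPTOGRAPHY IS THE SCIENCE OF SECRET WRITING AND A CIPHER "
          "IS A SECRET METHOD OF WRITING")


def caesar(text, k):
    """Shift each letter forward by k positions; shifts past Z wrap to A."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + k) % 26] if ch in ALPHABET else ch
        for ch in text)


def english_score(text):
    """Higher when the letters of text are common English letters."""
    return sum(ENGLISH.get(ch, 0.0) for ch in text)


def break_caesar(ciphertext):
    """Undo all 26 shifts and keep the one whose output looks most like English."""
    k = max(range(26), key=lambda s: english_score(caesar(ciphertext, -s)))
    return k, caesar(ciphertext, -k)
```

The key space has only 26 values, so the frequency score simply picks the right one; no knowledge of the plaintext is needed.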
Running Key Ciphers
The security of a substitution cipher generally
increases with the key length. In a running key
cipher, the key length is equal to the length of the plaintext
message (not using a fixed key alphabet).
E.g. use the text in a book as the key sequence.
The cipher may be breakable by Friedman's
method, based on the observation that both
plaintext and key letters are high-frequency ones
in natural language.
Permutation Ciphers
Rearrange bits or characters in the data.
INFORMATION TECHNIQUES FOR IPR
I R I T N E R
N O M T O E H I U S O I R
F A N C Q F P
IRITNERNOMTOEHIUSOIRFANCQFP
What is the key?
Attacks: frequency analysis of characters.
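One reading of the three-row layout above, as an added Python example that is not part of the original slides: writing the text in a zigzag over three rows and reading the rows in order reproduces the slide's ciphertext. The function names are hypothetical, and the single blank kept after INFORMATION is an observation from the layout (it fills one zigzag column and is dropped on output).

```python
from collections import Counter

# Text and ciphertext from the slide; only the first blank is kept (see lead-in).
PLAIN = "INFORMATION TECHNIQUESFORIPR"
SLIDE_CIPHER = "IRITNERNOMTOEHIUSOIRFANCQFP"


def rail_pattern(n, rails):
    """Row index of each of n characters written in a zigzag over `rails` rows."""
    period = 2 * (rails - 1)
    return [min(i % period, period - i % period) for i in range(n)]


def encipher(text, rails):
    """Write text in a zigzag, then read the rows one after another."""
    pattern = rail_pattern(len(text), rails)
    return "".join(ch for row in range(rails)
                   for ch, p in zip(text, pattern) if p == row)


def decipher(cipher, rails):
    """Put each ciphertext character back at the position its row came from."""
    pattern = rail_pattern(len(cipher), rails)
    order = sorted(range(len(cipher)), key=lambda i: pattern[i])  # stable sort
    plain = [""] * len(cipher)
    for ch, i in zip(cipher, order):
        plain[i] = ch
    return "".join(plain)


def recover_rails(plain, cipher, max_rails=8):
    """Which row counts turn the known plaintext into the given ciphertext?"""
    return [r for r in range(2, max_rails + 1)
            if encipher(plain, r).replace(" ", "") == cipher]


def same_letter_counts(plain, cipher):
    """A permutation cipher leaves single-letter frequencies unchanged."""
    return Counter(plain.replace(" ", "")) == Counter(cipher)
```

Because the letter counts are unchanged, a frequency count tells an analyst that the cipher is a permutation rather than a substitution.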
Product Cipher
A product cipher is the composition of
functions F1, ..., Ft, where each Fi may be a
substitution or permutation.
Examples of product ciphers
DES
[Diagram: a chain of S (substitution) and P (permutation) stages]
Data Encryption Standard (DES)
The National Bureau of Standards
announced DES to be used in unclassified
U.S. Government applications.
DES enciphers 64-bit blocks with a 56-bit
key.
DES
An input block T is first transposed under an
initial permutation IP, giving T0=IP(T).
E.g. t1t2t64t58t50t7
Then T0 is passed through 16 iterations of function
f.
Finally, it is transposed under the inverse
permutation IP^-1 to give the final result.
DES (cont.)
Let Ti denote the result of the ith iteration, and let
Li and Ri denote the left and right halves of Ti.
Then
Li=Ri-1
Ri=Li-1 f(Ri-1, Ki)
where is the exclusive-or operation and K is a
48-bit key.
After the last iteration, the left and right halves are
not changed, but instead passed to IP^-1.
DES (cont.)
Calculate the function f(Ri-1, Ki):
1. Use bit-selection table E to expand the 32-bit Ri-1 to a
48-bit block E(Ri-1) (similar to a permutation).
2. Calculate the exclusive-or of E(Ri-1) and Ki. Then
break the result into eight 6-bit blocks B1, ..., B8.
3. Use each 6-bit block Bj, with bits b1b2b3b4b5b6, as input to a selection
(substitution) function Sj that returns a 4-bit block Sj(Bj).
b1b6row
b2b3b4b5column
DES (cont.)
Key calculation
Each iteration i uses a different 48-bit key Ki derived
from the initial key K, which is input as a 64-bit block
with 8 parity bits in positions 8, 16, ..., 64.
PC-1 discards the parity bits and transposes the
remaining 56 bits to obtain PC-1(K).
PC-1(K) is then split into halves C and D of 28 bits each, which are
circularly shifted by LS:
Ci = LSi(Ci-1), Di = LSi(Di-1)
Ki = PC-2(CiDi)
DES (cont.)
Deciphering
The same algorithm is used, except that the
order of the keys is reversed: K16 is used in the 1st
iteration, K15 in the 2nd iteration, and so on.
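The 16-round iteration (Li = Ri-1, Ri = Li-1 XOR f(Ri-1, Ki)), the shifted round keys, and deciphering with the key order reversed, as an added Python example that is not part of the original slides. toy_f and the 48-bit selection standing in for PC-2 are assumptions that keep the block short (they are not DES's tables), and IP / IP^-1 are left out.

```python
import hashlib

MASK32 = (1 << 32) - 1
MASK28 = (1 << 28) - 1
MASK48 = (1 << 48) - 1
# Circular left-shift amounts LS1..LS16 used by DES; they sum to 28.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def rotl28(x, n):
    """Circular left shift of a 28-bit value."""
    return ((x << n) | (x >> (28 - n))) & MASK28


def round_keys(key56):
    """Ci = LSi(Ci-1), Di = LSi(Di-1); Ki is selected from CiDi."""
    c, d = key56 >> 28, key56 & MASK28
    keys = []
    for n in SHIFTS:
        c, d = rotl28(c, n), rotl28(d, n)
        keys.append(((c << 28) | d) & MASK48)  # stand-in for PC-2 (assumption)
    return keys


def toy_f(r, k):
    """Stand-in round function, NOT DES's E / S-box construction (assumption)."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block64, keys):
    """Run the rounds; after the last one the halves are output as R16 L16."""
    left, right = block64 >> 32, block64 & MASK32
    for k in keys:
        left, right = right, left ^ toy_f(right, k)
    return (right << 32) | left


def encipher(block64, key56):
    return feistel(block64, round_keys(key56))


def decipher(block64, key56):
    """Same algorithm, round keys in reverse order (K16 first)."""
    return feistel(block64, round_keys(key56)[::-1])
```

Deciphering works even though toy_f is not invertible: each round only XORs f's output into the other half, so running the rounds with the keys reversed cancels it.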
Disputes about DES
Should the 56-bit key length be doubled?
A special-purpose machine containing a million LSI
chips could try 2^56 keys in 1 day. The cost of this
machine is about $20 million. Amortized over 5 years,
the cost per day would be $10,000.
The same level of security could be obtained using
a multiple-encryption scheme.
The S-boxes may have hidden trapdoors.
The analysis is still classified.
Stream Ciphers
A random number generator (typically LFSR) may
be used to generate a stream of key characters,
each character of the key being added to a
character of the input stream to produce an output
character.
[Diagram: a shift register generates the key stream, which is combined with the message stream to give the cipher stream]
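An LFSR key stream added (XOR) to a message stream, as an added Python example that is not part of the original slides. The 16-bit register size, the feedback taps and the function names are assumptions chosen for the demonstration. The last two functions show why a bare LFSR is weak: the key stream repeats after 65535 steps, and one known plaintext-ciphertext pair reveals it.

```python
def step(state):
    """Advance a 16-bit Fibonacci LFSR by one bit.

    Feedback polynomial x^16 + x^14 + x^13 + x^11 + 1 (maximal length).
    """
    bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (bit << 15)


def keystream(key, nbytes):
    """Collect nbytes of key stream; the non-zero 16-bit key is the start state."""
    state, out = key, bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (state & 1)  # output the bit shifted out
            state = step(state)
        out.append(byte)
    return bytes(out)


def crypt(key, data):
    """Encipher or decipher: add each key-stream byte to the data stream (XOR)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def period(key):
    """Number of steps before the register returns to its start state."""
    state, n = step(key), 1
    while state != key:
        state, n = step(state), n + 1
    return n


def keystream_from_known_plaintext(plain, cipher):
    """A known plaintext-ciphertext pair gives the key stream directly."""
    return bytes(p ^ c for p, c in zip(plain, cipher))
```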
Cipher Based on Computationally
Difficult Problems
One-way function: C = f(P)
f: computationally simple
f^-1: computationally difficult, except in special cases
when supplementary information (keys) is available
exponentiation and logarithm
multiplication/factoring
review of number theory
NP-complete problems
A systematic deterministic solution is likely to require
exponential time in the number of inputs.
Diffie-Hellman's public-key
cryptosystem
Each user i in the system has a pair of keys Xi and
Yi, where
Yi=Xi mod q , 1Xiq-1, 1q-1, q: prime number
Xi is kept secret, but Yi is made public.
Sender i generates the key
Kij = Yj^Xi mod q = XiXj mod q
from receiver j's public key Yj and his own
private key Xi.
Receiver j obtains Kij similarly from Yi and Xj.
Security of Diffie-Hellman's
System
To generate the key Kij, one of the private
keys Xi or Xj must be known.
To generate Kij from Yi and Yj, a logarithm
of the form below must be computed:
Kij = Yi^(log Yj) mod q
which is computationally difficult.
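The key agreement described on the two slides above, as an added Python example that is not part of the original slides. The public base ALPHA is an assumption (the slides' base symbol did not survive extraction), q is a demo-sized prime, and the range check on received public keys and the hashing step are additions a deployment would want.

```python
import hashlib
import secrets

Q = 2**127 - 1   # prime modulus q (a Mersenne prime, demo size only)
ALPHA = 3        # public base: an assumption, not taken from the slides


def keypair():
    """Secret X in 2..q-2 and the public value Y = ALPHA^X mod q."""
    x = secrets.randbelow(Q - 3) + 2
    return x, pow(ALPHA, x, Q)


def check_public(y):
    """Reject values such as 0, 1 and q-1 that force a predictable shared key."""
    if not isinstance(y, int) or not 2 <= y <= Q - 2:
        raise ValueError("public key outside 2..q-2")
    return y


def raw_key(x_own, y_peer):
    """Kij = Yj^Xi mod q, computed from the peer's public and one's own secret key."""
    return pow(check_public(y_peer), x_own, Q)


def session_key(x_own, y_peer):
    """Hash the shared value into a fixed-length symmetric key."""
    return hashlib.sha256(raw_key(x_own, y_peer).to_bytes(16, "big")).digest()
```

Both sides reach the same value because (ALPHA^Xj)^Xi and (ALPHA^Xi)^Xj are the same power of ALPHA; an observer who sees only Yi and Yj has to compute a discrete logarithm to get there.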
The RSA Algorithm
Each user selects two large prime numbers
P and Q at random, and multiplies them to
obtain N = PQ.
N should be about 200 digits long and can be
made public.
P and Q are kept secret.
The RSA Algorithm (cont.)
Using P and Q, the user computes the Euler
totient function (N), representing the
number of positive integers relatively prime
to N.
(N)=(P)(Q) = (P-1) (Q-1)
The user then chooses a quantity E less than
N and relatively prime to (N). The
quantity E is made public.
The RSA Algorithm (cont.)
Given a message M to be enciphered, M is broken
down into a sequence of quantities M1, M2, ..., Mp,
where each component Mi is represented by an
integer between 0 and N-1. The enciphering is
now done separately on each block Mi using the
public information E and N to generate a
cryptogram Ci as
Ci = Mi^E mod N
At most 2 log2(N) multiplications are required.
The RSA Algorithm (cont.)
Using the secret information (N), the user
can easily compute a quantity D such that
ED=1 mod(N) (deciphering key). I
ED=1 mod(N)=K(N)+1
D=K(N)+1/E.
The RSA Algorithm (cont.)
By Fermat's theorem: M(N)mod N =1 mod
N, or MK(N)+1 mod N =M mod N.
Deciphering procedure:
Ci^D mod N
= Mi^(ED) mod N
= MiK(N)+1 mod N
= Mi mod N
= Mi
Using RSA
Suppose user A wants to send a message m to user
B. User A creates the ciphertext c by c = m^E mod
N, where E and N are user B's public key.
User A sends c to user B.
User B decrypts c by calculating m = c^D mod N. The
relation between D and E ensures that B correctly
recovers m.
Since only B knows D, only B can decrypt the
message.
Attacks against RSA
Attacks to recover all messages for a given key
Factor the public modulus N into P and Q. With
P, Q, and E, the attacker can easily compute D.
Attacks to recover a message
Guessed-plaintext attacks.
These attacks can be defeated by appending
random bits.
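The RSA operations from the preceding slides (key setup, enciphering, deciphering, and signing with D then checking with E), together with the guessed-plaintext check and the random-bits countermeasure named above, as an added Python example that is not part of the original slides. The primes are constructed toy values, far too small and too unequal in length for real use, and the function names are hypothetical.

```python
import secrets
from math import gcd

# Constructed toy key: two Mersenne primes and a common public exponent.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
PHI = (P - 1) * (Q - 1)      # Euler totient of N
assert gcd(E, PHI) == 1      # E must be relatively prime to the totient
D = pow(E, -1, PHI)          # deciphering key: E*D = 1 mod PHI


def encipher(m):
    return pow(m, E, N)      # c = m^E mod N, public operation


def decipher(c):
    return pow(c, D, N)      # m = c^D mod N, needs the secret D


def sign(m):
    return pow(m, D, N)      # c = DA(m)


def verify(m, s):
    return pow(s, E, N) == m  # check EA(c) = m


def guess_plaintext(c, candidates):
    """Anyone holding (E, N) can encipher guesses and compare them with c."""
    return [g for g in candidates if encipher(g) == c]


def encipher_randomized(m, rand_bits=64):
    """Append rand_bits random bits to m before enciphering."""
    return encipher((m << rand_bits) | secrets.randbits(rand_bits))


def decipher_randomized(c, rand_bits=64):
    """Decipher, then discard the appended random bits."""
    return decipher(c) >> rand_bits
```

Without the random bits the cipher is deterministic, so a short list of likely messages (for example YES and NO) can be tested against an intercepted ciphertext; with them, the same message enciphers differently each time.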
Security of RSA
The size of a key in the RSA algorithm typically refers
to the size of the modulus N. The two primes P and Q
should be of roughly equal length.
The longer the key size, the greater the security, but
also the slower the RSA algorithm.
The 512-bit RSA-155 was factored in seven months
during 1999.
The RSA lab currently recommends key sizes of 1024
bits for corporate use.